How banks can meet financial crime head-on – during and after the pandemic

  • Facebook
  • Twitter
  • Linkedin
  • Email

COVID-19 has disrupted banking for good. The depth of change, and the speed at which it has occurred, has ratcheted up risk levels. The result? An environment ripe for financial crime – especially fraud, cybercrime, and money laundering.

To address these risks – and the regulatory and reputational risks that go with them – and create the foundation for greater resilience in the future, banks need to make five key moves:

1. Combat financial crime with advanced, digital technologies

Already, financial institutions are seeing an increase in pandemic-related fraud and cybercrime, such as phishing emails appearing to be from the World Health Organization, and fraudulent sellers peddling nonexistent face masks. Federal agencies have advised banks to remain alert for malicious or fraudulent transactions and urged that investors be wary of scams.

As threats increase, however, effectively managing financial crime has become more difficult for banks. Staff absences are higher, more employees are working remotely, operational processes have changed, and human oversight is harder to secure.

Using digital technologies to supplement manual effort offers a solution. For example, bots can complete tedious tasks, such as validating customer information against standard databases, more quickly and accurately than people can. This frees up staff to concentrate on more complex work that requires human judgment and improves employee morale and experience in the process. Robotic process automation (RPA) and artificial intelligence are incredibly effective for labor-intensive functions such as know your customer (KYC) and transaction-monitoring processes. And banks can use biometric technologies, such as eye scanning, to validate customer identity quickly, accurately, and remotely, which is especially useful now that many brick-and-mortar branches have closed.

Banks have also seen recent shifts in customer behavior – including spikes in cash withdrawals, growing use of online and digital financial services, and an increase in cryptocurrency-related activity – attributable to the pandemic. Therefore, banks must now reevaluate and redesign anti-money laundering processes, such as KYC and transaction monitoring, which are largely based on detecting anomalies in customer behavior.

Banks should use these redesign efforts as an opportunity to enforce compliance more consistently and with greater productivity and cost efficiency. Digital technologies can help here too. For example, advanced analytics makes it possible for banks to have a more sophisticated and real-time understanding of their clients' changed – and changing – circumstances.

Today's challenges have also revealed other underlying weaknesses. Fragmented data and siloed systems have always been painful for banks to deal with, but now they're making matters even worse. Given new work-from-home arrangements, analysts and investigators will have difficulty accessing the many data sources and systems they need to conduct proper investigations. Banks should aggregate their company's data into a centralized data lake and securely democratize data access, empowering investigators to conduct investigations more thoroughly and efficiently. As regional and global volatility continues, an enhanced approach to data management can also be scaled up to handle demand.

Banks have long struggled to fight the risk of new financial crimes with old technologies. Recent events have only made it harder. Financial institutions that have only dipped their toes in the waters of next-generation financial crime risk management (FCRM) technologies now need to take the plunge.

2. Revisit business continuity planning

Banks' FCRM operations depend on a complex, interconnected, and often globally distributed network of people and technology. Recent events have tested this network. Not surprisingly, most business continuity planning (BCP) has been found lacking.

Banks need to revisit their BCP from the ground up, reviewing policies, practices, and controls and tailoring them to the new environment. Banks will increasingly need to train their people to become bilingual – that is, capable of understanding both FCRM and the technologies that underpin it. And banks will need to make sure that controls and safeguards are in place for effective and extended remote work. For example, redesigning encryption certification policies may better protect customers' personal information.

Finally, banks need to shift to intelligent cloud computing solutions – whether they're public, private, or hybrid – to ensure business continuity. These solutions offer many benefits, including cost efficiency, easy remote access to data, multiple data backups, and scalability. Because some businesses are betting that remote work arrangements will endure even after the current restrictions end, cloud solutions may become even more important.

3. Adjust transaction-monitoring models and processes

To spot financial crime, banks look for anomalies in customers' day-to-day banking activities. But COVID-19 has caused customer behavior to change radically and quickly. Much more activity has become an anomaly. For example, some customers are having their accounts and cards blocked because their activity has dropped off because of quarantine.

As a result, many banks must manage a spike in alerts with fewer staff. And it's possible that some new types of illicit activity aren't even triggering alerts. For example, fraudulent businesses offering fake cures for the virus in an effort to obtain financial account information from bank customers may not yet be on banks' radar screens.

Banks should move quickly to:

  • Update analytical models – Banks need to tweak behavioral anomaly detection models to account for buying patterns encouraged by social distancing.
  • Conduct forensic analysis – To determine illicit activity spurred by the crisis, banks should conduct forensic analysis of transactions since its start. Such analyses may reveal – for example – customers making unusually large payments or a series of payments to a single company, or a business receiving payments and then immediately redistributing funds to a shell or offshore company.
  • Triage transaction-monitoring efforts – Banks should prioritize and focus on scenarios that are more likely to indicate fraud, cybercrime, and money laundering, considering which businesses are still running. Unchanged activity levels among restaurants or bars, for example, might be a sign of potential laundering activities.

And don't forget to document the rationale for changes to your transaction-monitoring processes for auditors and regulators.

4. Double down on third-party risk management and insider threats

In recent years, banks have increasingly joined forces with third parties around the world to deliver new products and solutions to customers. There are many benefits: access to state-of-the-art technology, better operational management, and economies of scale. But these relationships also reduce management's direct control and can introduce new (or elevate existing) operational, reputational, compliance, and strategic risk.

More risk calls for more supervisory focus. Regulators have made it clear that outsourcing an activity or function does not relieve banks of their compliance responsibilities with all applicable securities laws and regulations. And they expect financial institutions to maintain comprehensive and rigorous oversight of these relationships, particularly ones that involve critical activities.

Today, banks' dependencies on third-party providers and technologies have further increased, because allowing staff to work from home, gather, analyze, and secure data, and connect with customers remotely requires them. As such, being able to demonstrate an appropriate governance framework is even more critical. No matter how well prepared your own organization is, it's imperative that your third parties that perform key functions are just as resilient.

Therefore, banks should be increasingly vigilant about third-party risk management. This means strengthening your governance framework by making sure it addresses key questions about planning, selection, contracting, ongoing monitoring, accountability, and termination of third parties. Banks must have confidence that their suppliers and partners employ practices that are just as strong as their own.

Also, if your bank relies on a supplier for a product or service, and the pandemic has affected that supplier, then your bank may have a gap. Having a plan to locate, evaluate, and quickly onboard an alternative third-party provider will be key.

With their privileged access to systems and data, insiders have the potential ability do more accidental or malicious damage than third parties or outside attackers. That threat increases at times of economic uncertainty, when some employees become disgruntled in the face of budget cuts and layoffs, and others consider insider crime as a way to mitigate losses. It is important that institutions strengthen internal controls to surveil employee behavior, data access, and transactions and cultivate a culture of compliance.

5. Strengthen communication with regulators

If there's a silver lining to this crisis, it is stronger partnerships between financial institutions and their regulators.

Regulators know that effectively managing financial crime during this disruptive period is difficult. Some are even ceasing regular inspections or extending the time period for remediating supervisory findings. No regulator, however, will allow institutions to shirk their compliance duties.

One step banks can take to strengthen relationships with regulators at this time is to map out all regulatory commitments and reporting requirements, then determine and communicate to regulators which of them they can complete in a timely manner. Another is to proactively and continuously communicate and document FCRM strategies and plans as part of their ongoing response to the crisis.

Banking is a relationship business. And this is a relationship-defining moment. Financial institutions should use this time to strengthen their partnerships with regulators.

Managing the risk of financial crime – today and tomorrow

Unfortunately, financial criminals don't rest during times of crisis. Instead, they take advantage of the fear, uncertainty, and distraction that surrounds them to ramp up their frauds and schemes. If banks do not change how they assess and manage risk and compliance, they will see a spike in financial crime affecting them and their customers.

And when a hurricane hits, the shoreline never looks the same. So it is also imperative that FCRM management functions reevaluate their overall strategy, operating model, policies, procedures, controls, and operations to create the foundation for greater resilience in the future.

This article was authored by Manish Chopra, global risk and transformation leader, banking and capital markets, Genpact. Versions of this article also appeared in Payments Source under the following headlines:

Learn more about how Genpact can help with financial crime risk and compliance management.

Read more insights to support your business' response to COVID-19

Visit our Building resilience banking and capital markets page

Learn more